【发布时间】:2017-10-09 21:14:34
【问题描述】:
我在账户“A”中有一个 AWS ElasticSearch 集群。
我正在尝试在账户“B”中创建一个 lambda(从 DynamoDB 流触发),它将写入账户“A”中的 ES。
我收到以下错误:
{
"Message":"User: arn:aws:sts::AccountB:assumed-role/lambdaRole1/sourceTableToES is not authorized to perform: es:ESHttpPost on resource: beta-na-lifeguard"
}
我尝试将 STS 和 ROLE 放入 ES 访问策略(在帐户“A”中),但没有成功。这是我的政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA:user/beta-elasticsearch-admin"
},
"Action": "es:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::AccountA:user/beta-elasticsearch-readwrite",
"arn:aws:iam::AccountA:role/beta-na-DynamoDBStreamLambdaElasticSearch",
"arn:aws:sts::AccountB:assumed-role/lambdaRole1/sourceTableToES",
"arn:aws:iam::AccountB:role/service-role/lambdaRole1"
]
},
"Action": [
"es:ESHttpGet",
"es:ESHttpPost",
"es:ESHttpPut"
],
"Resource": "*"
}
]
}
【问题讨论】:
标签: amazon-web-services elasticsearch lambda